Validate pulse position and error out if an invalid position is encountered.

Patch by Alex Converse (alex converse gmail com)

Originally committed as revision 15340 to svn://svn.ffmpeg.org/ffmpeg/trunk

1 files changed, 15 insertions, 4 deletions

diff --git a/libavcodec/aac.c b/libavcodec/aac.c
index 87005ab8e9..12037e0339 100644
--- a/libavcodec/aac.c
+++ b/libavcodec/aac.c
@@ -594,16 +594,24 @@ static int decode_scalefactors(AACContext * ac, float sf[120], GetBitContext * g
 /**
  * Decode pulse data; reference: table 4.7.
  */
-static void decode_pulses(Pulse * pulse, GetBitContext * gb, const uint16_t * swb_offset) {
-    int i;
+static int decode_pulses(Pulse * pulse, GetBitContext * gb, const uint16_t * swb_offset, int num_swb) {
+    int i, pulse_swb;
     pulse->num_pulse = get_bits(gb, 2) + 1;
-    pulse->pos[0]    = swb_offset[get_bits(gb, 6)];
+    pulse_swb        = get_bits(gb, 6);
+    if (pulse_swb >= num_swb)
+        return -1;
+    pulse->pos[0]    = swb_offset[pulse_swb];
     pulse->pos[0]   += get_bits(gb, 5);
+    if (pulse->pos[0] > 1023)
+        return -1;
     pulse->amp[0]    = get_bits(gb, 4);
     for (i = 1; i < pulse->num_pulse; i++) {
         pulse->pos[i] = get_bits(gb, 5) + pulse->pos[i-1];
+        if (pulse->pos[i] > 1023)
+            return -1;
         pulse->amp[i] = get_bits(gb, 4);
     }
+    return 0;
 }
 
 /**
@@ -811,7 +819,10 @@ static int decode_ics(AACContext * ac, SingleChannelElement * sce, GetBitContext
                 av_log(ac->avccontext, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n");
                 return -1;
             }
-            decode_pulses(&pulse, gb, ics->swb_offset);
+            if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
+                av_log(ac->avccontext, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n");
+                return -1;
+            }
         }
         if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics))
             return -1;